Handling Computer Hardware in a Computer Forensics Investigation

As an aspiring computer forensics investigator, you should develop an understanding of computer hardware, for a number of reasons. This chapter from A Practical Guide to Computer Forensics Investigations covers the importance of being able to recognize different types of computer hardware; the various disk drive interfaces that an investigator can encounter; the types of devices used to forensically extract data from different storage devices; the variety of storage media used and how this evidence should be handled and analyzed; and the use of storage media in actual investigations.


After reading this chapter, you will be able to understand the following:

The importance of being able to recognize different types of computer hardware;

The various disk drive interfaces that an investigator can encounter;

The types of devices used to forensically extract data from different storage devices;

The variety of storage media used and how this evidence should be handled and analyzed; and

The use of storage media in actual investigations.

Introduction

As an aspiring computer forensics investigator, you should develop an understanding of computer hardware, for a number of reasons. The first reason is that certain types of systems and hardware will only support certain types of software, in terms of operating system, file system, and applications. For example, it is important to understand that an Intel-based Mac can support both Mac OS X and its related HFS+ file system. Nevertheless, that same computer can also support a Windows operating system and related NTFS file system when Boot Camp is running. Boot Camp is a utility that is included with Mac OS X 10.6 (Snow Leopard) that enables a user to run a Windows operating system on an Intel-based Mac.

Being cognizant of the diversity of computer hardware is also necessary because you need to know how systems can be connected to external devices, like routers or external hard drives. These connected devices, like routers, will often contain digital evidence and may need to be seized if a warrant permits. The investigator might also need to be able to reconstruct the computer and its devices when she returns to the laboratory.

Computer hardware, operating system(s), and applications also determine the kind of computer forensics tools necessary to acquire evidence from that system. For example, Mac Marshall Forensic software can be used to image (a strategy you learn about later in this chapter) a MacBook Pro running Mac OS X while Guidance Software’s EnCase can be used to image a computer running Windows. Knowing that a computer is running Windows may not always be enough, however, because the version of the operating system should influence an investigator’s decision regarding the type of forensic software to use. Additionally, the type of investigation determines the value of different types of evidence and guides the investigator to choose the most appropriate forensic tool. For example, in a case against an alleged sex offender, a computer forensics investigator might choose to use X-Ways Forensics, which has a particularly effective filtering feature for searching images for skin tones. Realistically, though, many local police departments simply do not have the budgets to purchase the full array of forensic tools and thus do not have the luxury of selecting the most appropriate tool. Moreover, even if they could purchase some of these tools, they do not have the training budget to support their usage.

Proper planning for an investigation is critical. This entails knowing the different kinds of computer hardware, such as hard drives and other devices, so that you can purchase the appropriate equipment in advance. As you will learn from this chapter, many of the connections and related forensic hardware cannot be picked up at a local Staples stationery store when you need something; much of the forensic hardware is specialized and is only available from a very limited number of suppliers.

Finally, the handling of computer hardware in an investigation has legal ramifications. Evidence must be seized and handled in accordance with standard operating procedures that follow the law in that jurisdiction. Ultimately, the process by which you acquired the evidence is just as important as the evidence itself.